Path: utzoo!utgpu!watserv1!watmath!att!linac!pacific.mps.ohio-state.edu!zaphod.mps.ohio-state.edu!think.com!barmar
From: barmar@think.com (Barry Margolin)
Newsgroups: comp.protocols.nfs
Subject: Re: Why not export /fs /fs/subdir?
Message-ID: <1991Jun17.224716.4729@Think.COM>
Date: 17 Jun 91 22:47:16 GMT
References: <10199@star.cs.vu.nl>
Sender: news@Think.COM
Reply-To: barmar@think.com
Organization: Thinking Machines Corporation, Cambridge MA, USA
Lines: 24

In article shirono@ssd.csd.harris.com writes:
>In article <10199@star.cs.vu.nl> sater@cs.vu.nl (Hans van Staveren) writes:
>> This means that when you export /fs/foo where /fs is a filesystem a
>> client can mount /fs/foo and using the NFS handle returned do the NFS
>> equivalent of a cd .. and start running around the rest of /fs.

>So, the onus is on the client to disallow the scenario you mention.

What kind of security is that?  Isn't the point of /etc/exports that it
restricts who can access what?  If it depends on the client not to try to
violate some convention, then it's not much of a restriction, is it?

Consider the following common situation on servers of diskless
workstations:

	/export/root/foo -access=foo,root=foo
	/export/root/bar -access=bar,root=bar

While most NFS implementations won't allow foo to access bar's partition, a
superuser on foo could easily write a program that sends fake NFS requests,
and then access server:/export/root/foo/../bar.
-- 
Barry Margolin, Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar
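
The check below is an added example, not part of the original post: it audits an exports file for the situation described above, where entries with different access lists sit on one filesystem and the separation therefore rests on clients not walking ".." out of the exported directory. The function names, finding labels, the sample mount list, and the assumption that both directories live on a single /export filesystem are illustrative.

```python
# Added example: audit "/path -opt=a,opt=b" export lines (the form quoted in the
# post; comma-separated options is an assumption) against a list of mount points.
import posixpath

def parse_exports(text):
    """Return {path: frozenset(options)} from '/path -opt=a,opt=b' lines."""
    exports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path = posixpath.normpath(fields[0])
        opts = fields[1].lstrip("-") if len(fields) > 1 else ""
        exports[path] = frozenset(o for o in opts.split(",") if o)
    return exports

def owning_mount(path, mounts):
    """Longest mount point that is a path-component prefix of `path`."""
    best = "/"
    for m in mounts:
        m = posixpath.normpath(m)
        if (path == m or path.startswith(m.rstrip("/") + "/")) and len(m) > len(best):
            best = m
    return best

def audit(exports_text, mounts):
    """Return findings for exports whose isolation depends on the client."""
    exports = parse_exports(exports_text)
    by_fs = {}
    for path in exports:
        by_fs.setdefault(owning_mount(path, mounts), []).append(path)
    findings = []
    for fs, paths in sorted(by_fs.items()):
        for p in sorted(paths):
            if p != fs:  # a subdirectory export exposes a handle into all of fs
                findings.append(("not-fs-root", p, fs))
        if len({exports[p] for p in paths}) > 1:  # differing access, one fs
            findings.append(("mixed-access", tuple(sorted(paths)), fs))
    return findings

# Constructed sample: the two exports from the post, on one /export filesystem.
SAMPLE_EXPORTS = """\
/export/root/foo -access=foo,root=foo
/export/root/bar -access=bar,root=bar
"""
SAMPLE_MOUNTS = ["/", "/usr", "/export"]
if __name__ == "__main__":
    print(*audit(SAMPLE_EXPORTS, SAMPLE_MOUNTS), sep="\n")
```

Giving each client root its own filesystem makes the findings disappear, since each export is then a filesystem root with a single access list.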